httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 13032] New: - SetEnvIf[NoCase] doesn't allow you to test if an attribute does not match the regex
Date Thu, 26 Sep 2002 13:25:02 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13032>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=13032

SetEnvIf[NoCase] doesn't allow you to test if an attribute does not match the regex

           Summary: SetEnvIf[NoCase] doesn't allow you to test if an
                    attribute does not match the regex
           Product: Apache httpd-1.3
           Version: 1.3.26
          Platform: PC
        OS/Version: Netware
            Status: NEW
          Severity: Minor
          Priority: Other
         Component: Other
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: S.M.Flood@ucs.cam.ac.uk


Module: mod_setenvif

I'm trying to use the SetEnvIf and SetEnvIfNoCase directives to determine which 
log file a request should get logged to based on the values of the Request_URI 
and Remote_Host variables.

I'm using SetEnvIfNoCase to set three flags when a request is a Code Red/Nimda 
probe - attack, attack_uk, and attack_not_uk - and then I'm unsetting the 
relevant one depending on whether the request came from a UK- or non-UK-based 
machine.

Although I've flagged this as a problem with Apache/1.3.26 on NetWare I've also 
found this to be the case with Apache/1.3.26 on Windows NT 4.0 Workstation.

The relevant lines from my httpd.conf file are:

SetEnvIfNoCase Request_URI "cmd\.exe"      attack attack_uk attack_not_uk
SetEnvIfNoCase Request_URI "root\.exe"     attack attack_uk attack_not_uk
SetEnvIfNoCase Request_URI "default\.ida"  attack attack_uk attack_not_uk
SetEnvIfNoCase Request_URI "msadcs\.dll"   attack attack_uk attack_not_uk
SetEnvIfNoCase Request_URI "pbserver\.dll" attack attack_uk attack_not_uk

SetEnvIfNoCase Request_URI "^/default\.ida" default_ida

SetEnvIfNoCase Remote_Host \.uk$  !attack_not_uk access_uk
SetEnvIfNoCase Remote_Host !\.uk$ !attack_uk

CustomLog logs/access.log   common env=!attack
CustomLog logs/accessuk.log common env=access_uk
CustomLog logs/attackuk.log common env=attack_uk
CustomLog logs/attack.log   common env=attack_not_uk
CustomLog logs/default.log  common env=default_ida

Basically the 'SetEnvIfNocase Remote_Host !\.uk$ !attack_uk" isn't working and 
I think it's because the '!' in front of the regex is getting ignored.  I've 
also tried enclosing the whole regex in '"'s plus all except the '!' but it 
doesn't make any difference.

accessuk.log is correctly logging just accesses from machines with DNS names 
ending ".uk".

As an aside I'm finding that requests for 'default\.ida' are not getting 
interpreted as attacks hence the reason for adding '^/default\.ida' as a test 
but I haven't had one of these probes since implementing this!  Though if I 
telnet in and enter the appropriate request it does log it correctly.

BTW the reason for wanting to log all UK-based attacks to a separate file is so 
that I can pass it on to our local CERT team.  Since they receive so many 
attack reports from around the University they're only really interested in UK-
based probes that they can then pass on to the JANet (Joint Academic Network) 
CERT team for action.

Am I right in thinking that '!' isn't working or is even supposed to work?

If it isn't supposed to work what is the alternative?

Many thanks,

Simon Flood, Computer Officer,
University of Cambridge Computing Service, United Kingdom

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


Mime
View raw message